Cloud Elemental led the migration of Aligne to AWS. A core requirement of this transformation was a security-enforced deployment pipeline: all Terraform Infrastructure-as-Code had to be scanned by Tenable and validated against internal standards and AWS best practices before deployment – ensuring only compliant, security-approved infrastructure could reach live environments.
From controlled code to compliant infrastructure.
Building a Security-Focused DevSecOps Pipeline on AWS
Cloud Elemental implemented a fully automated, security-enforced infrastructure deployment pipeline for Luminus, embedding Terraform, GitLab, and Tenable into a governed GitFlow model aligned to AWS best practices and internal security standards.
The Client
Luminus is the second-largest electricity generator and energy provider in Belgium, managing power plants and wind farms while securing external energy sources to ensure a reliable power supply for customers.
Its energy trading platform, Aligne, underpins fast, informed trading decisions in a highly regulated market. However, scaling and operating the platform within on-premises data centres introduced operational and scalability constraints.
The Challenge
Deploying infrastructure at Luminus needed to be automated while ensuring that the resources created aligned with the company's security standards and AWS best practices.
The solution needed to:
- Enforce DevSecOps principles through automation
- Ensure Terraform deployments align with Luminus security standards and AWS best practices
- Prevent non-compliant infrastructure from reaching Production
- Automatically block pipelines in Production and Acceptance if violations are categorised as high risk
- Maintain segregation of duties between developers and security tooling
- Provide auditability, traceability, and integration with enterprise identity controls
Our Solution
Automated & Secure Infrastructure Deployment
Hosting the GitLab runners on AWS infrastructure provided a secure way to deploy Infrastructure-as-Code through automation while keeping control of the environment that runs Terraform.
This foundation of standardised GitLab pipelines allowed integration with Tenable.
On every deployment, all code is scanned for security violations against Luminus standards and the AWS best-practice frameworks.
GitLab & AWS Security Integration
The Tenable integration with GitLab gives developers a system in which their IaC is scanned and any issues are raised immediately within GitLab, where the developer can review and remediate them straight away.
This not only helps developers ensure that what they are deploying meets the standard but also prevents unsuitable code from going live.
In Production and Acceptance environments:
- Pipelines are blocked if detected violations are categorised as high risk
- High-risk violations fail the pipeline until the code in the GitLab repository is updated to resolve the issues raised
This segregation of duties keeps developers and the security tooling separate while still allowing quick remediation: developers can scan code, review findings and fix them through an automated process without needing access to the security tools or involvement from security personnel.
GitFlow-Governed Access Control
The pipelines leverage the GitFlow workflow with automated pipelines for AWS resource deployment.
Access to GitLab is structured across three defined roles:
Owner
- Full access to all GitLab and pipeline features
Maintainer
- Full code push, merge approvals and pipeline access
Developer
- Full code access but cannot merge to the main branch – only submit changes for approval
All roles are attached to Azure AD groups for Single Sign-On (SSO). Authentication and access are fully controlled through Luminus AD controls.
Branching & Pipeline Behaviour
The Main Branch
- Contains the official release history
- Is protected from direct commits
The Develop Branch(es)
- Sourced directly from the main branch
- Used to build & test new features
The GitLab Pipeline
- Is triggered by commits to the main branch
- Is integrated with Tenable for code scanning
- Can automatically deploy the IaC into the appropriate environment
Automated Security Scanning
Security scanning was embedded directly into the pipeline lifecycle.
Remediation and Deployment of Infrastructure via Terraform
Validation & Planning
- Validates the Terraform code
- Generates an execution plan
Security Scanning & Governance
- Tenable scans the code
- A vulnerability report is generated
- Depending on the environment and severity of findings, the pipeline may be blocked
Remediation & Deployment
- The developer remediates any security exceptions raised by the scan
- The corrected code is checked into GitLab and the pipeline runs again
- The security scan passes
- The infrastructure is deployed with Terraform
In Production and Acceptance environments, pipelines will be blocked from running if any detected violations are categorised as high risk.
On merge to a protected branch, AWS-specific exceptions (e.g. RDP access from anywhere) are surfaced and must be resolved before deployment can proceed.
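As an added illustration (not code from the Luminus pipeline, from Tenable or from Cloud Elemental), the following Python script shows the gating logic described above applied to a constructed `terraform show -json` plan: it flags a security-group rule that opens RDP (TCP 3389) to 0.0.0.0/0 as a high-risk finding and fails the job only for the Production and Acceptance environments. The plan excerpt, the severity label and the environment names are assumptions.

```python
import json
import sys

# Constructed excerpt of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Not a real plan from the Luminus pipeline.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
   ]}}}]}""")

RDP_PORT = 3389
ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumed environment names; only these fail the pipeline on high-risk findings.
BLOCKING_ENVIRONMENTS = {"production", "acceptance"}

def find_rdp_from_anywhere(plan):
    """Return high-risk findings for security groups exposing RDP to the internet."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        after = rc.get("change", {}).get("after") or {}
        for rule in after.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if not cidrs & ANYWHERE:
                continue
            all_ports = rule.get("protocol") == "-1"
            in_range = (rule.get("from_port") or 0) <= RDP_PORT <= (rule.get("to_port") or 0)
            if all_ports or in_range:
                findings.append({"severity": "high", "resource": rc["address"],
                                 "rule": "RDP (3389) open to anywhere"})
    return findings

def pipeline_should_block(environment, findings):
    """Block only in Production/Acceptance, and only when a high-risk finding exists."""
    if environment.lower() not in BLOCKING_ENVIRONMENTS:
        return False
    return any(f["severity"] == "high" for f in findings)

if __name__ == "__main__":
    # Usage: python gate.py <environment>; a non-zero exit fails the GitLab job.
    env = sys.argv[1] if len(sys.argv) > 1 else "production"
    found = find_rdp_from_anywhere(SAMPLE_PLAN)
    for f in found:
        print(f"[{f['severity'].upper()}] {f['resource']}: {f['rule']}")
    sys.exit(1 if pipeline_should_block(env, found) else 0)
```

In a GitLab job this would run after `terraform plan` and `terraform show -json`, with the environment taken from the branch or a CI variable; in Development the findings are still reported but the job is allowed to continue.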
Our Results
By implementing a security-focused DevSecOps pipeline on AWS, Luminus established a controlled, automated infrastructure deployment framework aligned to internal governance and AWS best practices. Security enforcement is embedded directly into the CI/CD lifecycle, ensuring compliant infrastructure deployment across environments.
High Availability of Security Controls
- Security posture is continually enforced, ensuring compliance
- High-risk violations automatically block pipelines in Production and Acceptance environments
- Only security-approved infrastructure can be deployed
Increased Agility & Reduced Risk
- Automated scanning and deployment increase agility and speed to market
- Pre-deployment validation reduces the potential for security incidents
- Developers can remediate issues immediately within GitLab
DevSecOps & Workflow Enforcement
- Automated scanning and deployment enforce DevSecOps principles
- GitFlow workflow compliance is embedded into the pipeline
- Segregation of duties maintained between developers and security tooling
Improved Traceability & Auditability
- All merges reviewed and controlled through protected branches
- Security findings raised and tracked within GitLab
- Full pipeline execution history retained
- Enhanced accountability across environments
See the full Aligne migration story
This DevSecOps framework formed part of Luminus’ wider migration of Aligne to AWS – improving scalability, resilience and operational efficiency across the platform.
Ready to strengthen your infrastructure governance?
Whether you’re embedding DevSecOps into your delivery lifecycle, modernising Infrastructure-as-Code, or enforcing security standards across AWS environments, Cloud Elemental helps you deploy securely – without slowing innovation.